Reauthorizing the Cybersecurity Information Sharing Act of 2015: Common Sense for America’s Security
In 2015, Congress passed the Cybersecurity Information Sharing Act (CISA 2015) as part of a landmark bipartisan effort designed to protect America’s digital infrastructure. The idea was to bridge a chronic gap that previously hindered our digital defenses: the disconnect in sharing real-time cyberthreat information between public and private entities.
A decade later, the digital and political environment has transformed in ways that legislators couldn’t have predicted at the time. Artificial intelligence, foreign influence operations, and critical infrastructure vulnerabilities have redefined the landscape. A recent Issue One report on the politicization of cybersecurity notes that “the safety net that previously helped contain and coordinate these threats is weakening.” Hyperpartisanship has undermined the traditionally bipartisan security space, leading to the expiration of CISA 2015 and false narratives about federal cybersecurity efforts.
As Congress weighs priorities for the next legislative session, it should listen to the chairman of the Homeland Security Committee, the secretary of Homeland Security, the nominee to lead the Cybersecurity and Infrastructure Security Agency (CISA), and hundreds of private businesses who are calling for the reauthorization of CISA 2015. This is not a nice-to-have option; it is a bipartisan national security necessity.
Before diving into why reauthorization matters, it is essential to clarify a frequent source of confusion in the halls of Congress: the difference between CISA 2015 the law and CISA the agency.
CISA (the Law) vs. CISA (the Agency): Two Different Elements of American Cybersecurity Working Together
CISA 2015 is a statute. It provides the legal foundation for how private companies, federal departments, and state or local entities can voluntarily share information about cybersecurity threats and vulnerabilities. It established liability protections for companies that share data in good faith, requirements for all participants to protect that data, and procedures for anonymizing personally identifiable information.
CISA is a federal agency. Created in 2018 through the Cybersecurity and Infrastructure Security Agency Act, the agency sits within the Department of Homeland Security (DHS) and serves as the operational lead for the federal government’s civilian cybersecurity efforts, including the fusion center through which CISA 2015 reports are collected from private and federal entities and shared out with relevant stakeholders.
While CISA 2015 created the framework, CISA the agency is responsible for day-to-day implementation of that framework and other essential cybersecurity efforts. In other words, CISA 2015 lays the groundwork for cooperative cyber protections between public and private actors, while CISA operationalizes those protections. Both are critical. Without reauthorizing and modernizing the statute, CISA would be hamstrung with outdated tools in a changing digital landscape. And without an effective agency, CISA 2015 would be little more than words on paper.
Why is Reauthorization Urgent?
When Congress first passed CISA 2015, it was forward-looking and carefully constructed. Legislators balanced national security with privacy and civil liberties concerns. The bill made information sharing voluntary, not mandatory, and offered narrow liability protections to companies that submitted cyberthreat indicators to the federal government.
This was sufficient when cyberthreats were limited to network intrusions and data theft. In 2025, however, the landscape is far broader in scope. Cyberattacks now regularly disrupt pipelines, hospitals, water treatment plants, and even election infrastructure. Additionally, privately owned IT infrastructure has come to form the backbone of government operations, and companies have come to rely on government threat reports to fill gaps in their own cybersecurity capacity. The line between a “private sector breach” and a “national security threat” has become very thin, and recent incidents highlight the missing pieces of this legislative puzzle.
How Recent Cyber Incidents Can Inform a Modern Legislative Framework
From SolarWinds to Colonial Pipeline, recent attacks have underscored the need for a faster and more integrated cyber response. In each case, private companies were the first to detect unusual activity. While CISA 2015 authorities allowed the private sector to share reports quickly with CISA, the voluntary nature of reporting led to a delay in information reaching federal entities and other potential targets.
The Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) of 2022 helped close part of this gap by requiring certain entities to report major incidents within 72 hours. CIRCIA exists within the broader framework of CISA 2015 and supplements regulations; it does not replace or update CISA 2015. Information sharing under CISA 2015 still governs the vast majority of voluntary, day-to-day data exchanges across industries that fall outside the CIRCIA infrastructure designations.
In short, without modernizing CISA 2015, the federal government risks operating on stale or incomplete threat intelligence. A modernized version of CISA 2015 must emphasize increased cross-government collaboration. That means creating technical and legal mechanisms for agencies like the DHS’s CISA, the FBI, and other sector risk management agencies to share insights directly with each other and with industry partners. It also means updating reporting requirements to Congress to ensure timely dissemination of relevant information. Lastly, it means addressing artificial intelligence and generative technologies that have introduced entirely new dimensions of cyber risk, which the authors of CISA 2015 simply could not have predicted.
A reauthorized CISA 2015 could:
Allow for the inclusion of AI-driven threat analysis in federal information-sharing programs.
Refine the definition of “threat” to include a broader spectrum of early threat indicators related to emerging technologies.
Tighten congressional reporting requirements for CISA 2015-related activities so Congress and the public have a firmer understanding of their value.
These updates are essential to keeping the United States competitive in a cyber domain increasingly defined by speed, automation, and synthetic intelligence.
A Call for Bipartisan Leadership
Cybersecurity has traditionally been one of the few areas capable of sustaining bipartisan cooperation in Congress. In 2015, the original CISA legislation received overwhelming support in the Senate, and the current House version of reauthorization was passed unanimously out of committee in September 2025. Both parties can and should readily recognize that defending America’s digital infrastructure is not a partisan issue.
Reauthorizing CISA 2015 offers lawmakers a tangible, bipartisan victory: a way to modernize an aging legal foundation, empower industry collaboration, and ensure privacy protections simultaneously. It is also an opportunity to empower CISA as the domestic authority to protect and maintain the security of America’s digital domain.
At a time when adversaries are constantly probing our public and private networks and public trust in institutions is fragile, renewing and improving this bipartisan law is both a pragmatic and symbolic act. Updating CISA 2015 signals that Congress remains capable of putting aside partisanship, listening to public concerns, adapting to technological realities, and governing in the national interest.



